Compliance

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Customer (the “Controller”) and Sparkle Intelligence (the “Processor”). It governs our processing of Customer Personal Data on your behalf.

Last updated: October 2025


Introduction

This DPA applies where, in connection with the Services, Sparkle Intelligence processes Personal Data on behalf of Customer. Capitalized terms not defined herein have the meanings given in the Agreement between the parties.

1. Definitions

“Applicable Data Protection Law” means all laws and regulations relating to data protection, privacy, and the processing of Personal Data, including GDPR and UK GDPR, to the extent applicable to a party.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” have the meanings set out in Applicable Data Protection Law.

“Sub‑processor” means any processor engaged by Sparkle Intelligence to process Personal Data on behalf of Customer.

2. Scope & Roles

Customer is the Controller and appoints Sparkle Intelligence as Processor to process Personal Data solely for the purpose of providing the Services and as otherwise set forth in this DPA.

3. Processing on Instructions

Sparkle Intelligence shall process Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data to a third country, unless required to do so by law. In such case, Sparkle Intelligence will inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

If Sparkle Intelligence believes an instruction infringes Applicable Data Protection Law, it will promptly notify Customer.

4. Confidentiality

Sparkle Intelligence shall ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations and receive appropriate training regarding data protection and security.

5. Security Measures

Sparkle Intelligence shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate: (a) pseudonymization and encryption; (b) ensuring ongoing confidentiality, integrity, availability, and resilience of systems; (c) the ability to restore availability and access in a timely manner; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of security measures. A summary of measures is set out in Annex C.

6. Sub‑processors

Customer authorizes Sparkle Intelligence to engage Sub‑processors to provide the Services. Sparkle Intelligence will impose data protection obligations on Sub‑processors that are no less protective than those set out in this DPA and remains responsible for their performance. Sparkle Intelligence will maintain a list of current Sub‑processors and provide notice of changes, allowing Customer to object on reasonable grounds.

7. International Transfers

Where the processing involves a transfer of Personal Data outside the EEA/UK to a country without an adequacy decision, the parties shall rely on appropriate safeguards under Applicable Data Protection Law, including the EU Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum, as applicable. Annex D sets out the applicable modules and appendices, incorporated by reference.

8. Assistance to Controller

Sparkle Intelligence shall assist Customer, taking into account the nature of processing and the information available to Sparkle Intelligence, with (a) responses to Data Subject requests; (b) security and data protection impact assessments; and (c) consultations with supervisory authorities, in each case as reasonably necessary for Customer to comply with its obligations under Applicable Data Protection Law.

9. Personal Data Breach

Sparkle Intelligence shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and shall provide information reasonably required to help Customer meet its legal obligations.

10. Audits & Documentation

Upon reasonable notice and during normal business hours, Sparkle Intelligence shall make available to Customer information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by Customer or an independent auditor mandated by Customer, subject to reasonable confidentiality, security, and frequency limitations. Sparkle Intelligence may satisfy audit obligations by providing third‑party reports (e.g., SOC 2, ISO 27001) covering the relevant controls.

11. Return & Deletion

Upon termination or expiry of the Services, or upon Customer’s written request, Sparkle Intelligence shall delete or return all Customer Personal Data in its possession, unless retention is required by law. If deletion is not feasible, Sparkle Intelligence will continue to protect the Personal Data in accordance with this DPA and limit further processing.

12. Liability

Each party’s liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement, except to the extent such limitations are prohibited by Applicable Data Protection Law.

13. Miscellaneous

In the event of a conflict between this DPA and the Agreement, this DPA shall control with respect to the subject matter herein. If any provision is held invalid, the remainder remains in effect. This DPA will be governed by the governing law set forth in the Agreement, except where otherwise required by Applicable Data Protection Law.

Annex A — Details of Processing

Subject Matter: Provision of the Services under the Agreement.
Duration: For the term of the Agreement and any post‑termination retention required by law.
Nature & Purpose: Hosting, storage, transmission, analysis, and other processing necessary to provide and improve the Services.
Categories of Data Subjects: Customer’s end users, employees, contractors, prospects, and other individuals whose Personal Data is submitted to the Services by or on behalf of Customer.
Types of Personal Data: Identifiers (e.g., name, email), contact details, usage data, device data, and any other Personal Data submitted by Customer. Customer shall not submit special categories unless expressly permitted.
Special Categories: Not intended to be processed. If processed, only with documented instructions and appropriate safeguards.

Annex B — Sub‑processors

Current Sub‑processors are listed at /legal/subprocessors and may include cloud infrastructure, analytics, email delivery, and storage providers. The list includes the purpose of processing, location, and data categories processed.

Annex C — Summary of Technical & Organizational Measures

  • Encryption: TLS 1.2+ in transit; AES‑256 at rest; keys managed via KMS; key rotation procedures.
  • Access Control: SSO/MFA; RBAC; least privilege; access reviews; logging of administrative actions.
  • Resilience: Multi‑AZ deployment; backups and tested restores; DDoS protection; capacity planning.
  • Secure Development: Code review; SAST/DAST; dependency scanning; secrets scanning; CI/CD with signed artifacts.
  • Monitoring: Centralized logs; SIEM; alerting on anomalies; vulnerability management with SLAs.
  • Incident Response: Playbooks; roles and responsibilities; PIRs; customer notification workflows.
  • Physical Security: Data centers operated by vetted providers with industry‑standard controls.
  • Personnel: Background checks as permissible; security training; confidentiality agreements.
  • Vendor Management: Risk assessments and contractual controls for Sub‑processors.

Annex D — International Transfer Mechanisms

For transfers subject to GDPR/UK GDPR, the parties incorporate by reference the EU Standard Contractual Clauses (Controller‑to‑Processor, Module 2) and, where applicable, the UK International Data Transfer Addendum (or equivalent). Appendices will reflect the details from Annexes A–C and the Sub‑processor list.

Signatures

This DPA is effective as of the effective date of the Agreement or the date on which Customer accepts the DPA, whichever is earlier.

For Customer

Name / Title / Date / Signature

For Sparkle Intelligence

Authorized Signatory / Date / Signature

This DPA is intended to satisfy Article 28(3) of GDPR/UK GDPR and related requirements under Applicable Data Protection Law.
